auth: Remove "shared" aka "global" secrets.

server/auth/authdb/snapshot.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package authdb
 
 import (
         "fmt"
         "net"
         "strings"
         "time"
 
         "golang.org/x/net/context"
 
         "github.com/luci/luci-go/common/clock"
         "github.com/luci/luci-go/common/data/caching/lazyslot"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/server/auth/identity"
         "github.com/luci/luci-go/server/auth/service/protocol"
         "github.com/luci/luci-go/server/auth/signing"
-        "github.com/luci/luci-go/server/secrets"
 )
 
 // OAuth client_id of https://apis-explorer.appspot.com/.
 const googleAPIExplorerClientID = "292824132082.apps.googleusercontent.com"
 
 // SnapshotDB implements DB using AuthDB proto message.
 //
 // Use NewSnapshotDB to create new instances. Don't touch public fields
 // of existing instances.
 type SnapshotDB struct {
         AuthServiceURL string // where it was fetched from
         Rev            int64  // its revision number
 
         tokenServiceURL string // URL of the token server as provided by Auth service
 
         clientIDs map[string]struct{} // set of allowed client IDs
         groups    map[string]*group   // map of all known groups
-        secrets   secrets.StaticStore // secrets shared by all service with this DB
 
         assignments map[identity.Identity]string // IP whitelist assignements
         whitelists  map[string][]net.IPNet       // IP whitelists
 
         // Certs are loaded lazily in GetCertificates since they are used only when
         // checking delegation tokens, which is relatively rare.
         certs lazyslot.Slot
 }
 
 var _ DB = &SnapshotDB{}
@@ skipping 73 matching lines @@
         // Second pass: fill in `nested` with pointers, now that we have them.
         for _, g := range authDB.GetGroups() {
                 gr := db.groups[g.GetName()]
                 for _, nestedName := range g.GetNested() {
                         if nestedGroup := db.groups[nestedName]; nestedGroup != nil {
                                 gr.nested = append(gr.nested, nestedGroup)
                         }
                 }
         }
 
-        // Load all shared secrets.
-        db.secrets = make(secrets.StaticStore, len(authDB.GetSecrets()))
-        for _, s := range authDB.GetSecrets() {
-                values := s.GetValues()
-                if len(values) == 0 {
-                        continue
-                }
-                secret := secrets.Secret{
-                        Current: secrets.NamedBlob{Blob: values[0]}, // most recent on top
-                }
-                if len(values) > 1 {
-                        secret.Previous = make([]secrets.NamedBlob, len(values)-1)
-                        for i := 1; i < len(values); i++ {
-                                secret.Previous[i-1] = secrets.NamedBlob{Blob: values[i]}
-                        }
-                }
-                db.secrets[secrets.Key(s.GetName())] = secret
-        }
-
         // Build map of IP whitelist assignments.
         db.assignments = make(map[identity.Identity]string, len(authDB.GetIpWhitelistAssignments()))
         for _, a := range authDB.GetIpWhitelistAssignments() {
                 db.assignments[identity.Identity(a.GetIdentity())] = a.GetIpWhitelist()
         }
 
         // Parse all subnets into IPNet objects.
         db.whitelists = make(map[string][]net.IPNet, len(authDB.GetIpWhitelists()))
         for _, w := range authDB.GetIpWhitelists() {
                 if len(w.GetSubnets()) == 0 {
@@ skipping 118 matching lines @@
 
                 return found
         }
 
         if gr := db.groups[groupName]; gr != nil {
                 return isMember(gr), nil
         }
         return false, nil
 }
 
-// SharedSecrets is secrets.Store with secrets in Auth DB.
-//
-// Such secrets are usually generated on central Auth Service and are known
-// to all trusted services (so that they can use them to exchange data).
-func (db *SnapshotDB) SharedSecrets(c context.Context) (secrets.Store, error) {
-        return db.secrets, nil
-}
-
 // GetCertificates returns a bundle with certificates of a trusted signer.
 func (db *SnapshotDB) GetCertificates(c context.Context, signerID identity.Identity) (*signing.PublicCertificates, error) {
         val, err := db.certs.Get(c)
         if err != nil {
                 return nil, err
         }
         trustedCertsMap := val.Value.(certMap)
         return trustedCertsMap[signerID], nil
 }
 
@@ skipping 56 matching lines @@
                 return nil, fmt.Errorf("the token server %s didn't provide its service account name", db.tokenServiceURL)
         }
 
         id, err := identity.MakeIdentity("user:" + certs.ServiceAccountName)
         if err != nil {
                 return nil, fmt.Errorf("invalid service_account_name %q in fetched certificates bundle - %s", certs.ServiceAccountName, err)
         }
 
         return certMap{id: certs}, nil
 }